On August 28th, 2019, Cisco published a Security Advisory titled “Cisco REST API Container for Cisco IOS XE Software Authentication Bypass Vulnerability”, disclosing an internally found vulnerability which affects the Cisco REST API container for Cisco IOS XE. An exploit could be used to bypass authentication on Cisco routers configured with the REST API support for Cisco IOS XE Software. This vulnerability was found by Cisco during internal testing.
The purpose of this post is to provide additional technical detail about the vulnerability, the specific Cisco hardware platforms that support the feature, and how the affected feature is enabled (as it is not enabled by default).
While the vulnerable code resides within the Cisco REST API container, the effects of the vulnerability, if exploited, will be experienced on the Cisco device as a whole. This is because exploiting this vulnerability could allow an attacker to submit commands through the REST API that will be executed on the affected device.
This is a good example of a “Scope Change” defined within the Common Vulnerability Scoring System (CVSS) standard.
The REST API container is an application that provides a set of RESTful APIs as an alternative method to manage devices running Cisco IOS-XE Software. It is located in a virtual services container, which is a virtualized environment running on the host device. It is also referred to as a virtual machine (VM), virtual service, or container. The REST API virtual service is not a native capability within Cisco IOS XE, but it is instead delivered as an open virtual application (OVA) package file.
Only the following Cisco platforms supports the affected Cisco REST API container and are therefore potentially impacted by this vulnerability:
- Cisco 4000 Series Integrated Services Routers
- Cisco ASR 1000 Series Aggregation Services Routers
- Cisco Cloud Services Router 1000V Series
- Cisco Integrated Services Virtual Router
The Cisco REST API OVA package was bundled with the Cisco IOS XE software on releases prior to 16.7.1. Starting with Cisco IOS XE release 16.7.1, the OVA package is not bundled with the Cisco IOS XE image, instead it needs to be downloaded from Cisco’s Software Center and transferred to the Cisco device on which it is to be enabled.
Regardless if bundled with Cisco IOS XE or not, the REST API service is never enabled by default on any Cisco IOS XE release on any of the affected platforms. Customers interested in using the REST API capabilities have to first enable such capabilities on each device by completing the following steps:
1) Login to the device by using an administrator-level account (with privilege level 15)
2) Install the REST-API container by using the Cisco Virtual Manager (VMAN) CLI
3) Enter the remote-management configuration mode and configure a local TCP port that will be bind to the management interface of the REST API service
4) Configure a management interface that will be used to process HTTP requests submitted to the REST API service
5) Enable the REST-API virtual service container
To further clarify, even if the OVA package is present on the device (either because it was shipped with the Cisco IOS XE release running on the device, or was later transferred to the device local storage), the REST API is not enabled and will not accept requests until all of above steps have been completed.
Cisco has addressed this vulnerability on a new version of the REST API package (named iosxe-remote-mgmt.16.09.03.ova) which is available for download from the Software Center. All future REST API packages will include this fix.
Cisco has also implemented additional safeguards in all future Cisco IOS XE releases that will prevent installation of a vulnerable OVA package, and which also prevent activation of an existing, already configured and vulnerable OVA package on a device.
In order for a device to be considered vulnerable, all of the following conditions must be met:
- A REST API OVA package with a version below 16.9.3 must be present on the device local storage
- The REST API virtual service is installed
- The REST API virtual service is configured
- The REST API virtual service is enabled
A device meeting some of the previous conditions, but not all of them, is considered not vulnerable.
Additional information can be found on the associated Cisco Security Advisory.
While this is a serious vulnerability that should be carefully assessed by customers to determine exposure and impact on their environment, the scope of affected Cisco customer base is contained by the limited number of Cisco hardware platforms supporting the feature and the fact the affected feature is not enabled by default.
Customers fulfilling all of the conditions above listed are recommended to review the advisory and take appropriate actions. Although, this vulnerability was found by Cisco during internal testing; our commitment to customers is to be open and transparent, especially as it relates to issues that could negatively impact their business. At Cisco, we always strive to clearly communicate with customers about technical or other issues that could potentially expose their organizations to risk.